Paul Vixie wrote:
>
> i hope CF will differentiate NODATA from NXDOMAIN in their signed DNSSEC
> responses, because the difference is absolutely vital to anyone who uses
> DNS analytics as a defense vector.

I'd guess this is pretty unlikely, since a minimal online-generated
NXDOMAIN response would require two NSEC records (you have to prove
nonexistence of both the queried name and a matching wildcard) and their
RRSIGs, and these responses are called black lies, not white lies.

Florian Weimer replied:

> It breaks search list processing in the stub resolver.

Thanks for pointing that out; it would never have occurred to me, and
probably didn't occur to the Cloudflare team. However, given all the
problems that stub resolver search list processing causes for DNS
(excessive bogus queries, TLD name conflicts, etc.), that aspect of NODATA
responses seems like a fairly minor issue.
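As an added illustration (not part of the thread, and not Cloudflare's code), the following Python model shows why the two response types differ in size: a validator accepts an NXDOMAIN only when one NSEC covers the query name and another covers the wildcard at the closest encloser, whereas a black-lie NODATA is a single NSEC synthesized for the query name with `\000.<qname>` as its next name (the shape from the black lies draft). The toy zone, the record types and the classifier's rule for spotting a black lie are assumptions of this example; the classifier is the kind of check a DNS analytics pipeline would apply to tell a "name exists, type absent" answer from one that merely hides nonexistence.

```python
"""Model of DNSSEC negative proofs: NXDOMAIN vs NODATA vs black-lie NODATA (example code)."""
from dataclasses import dataclass


def key(name: str) -> tuple:
    """RFC 4034 canonical ordering key: labels compared right to left, case-insensitively."""
    name = name.rstrip(".").lower()
    return tuple(l.encode("latin-1") for l in reversed(name.split("."))) if name else ()


def is_ancestor(anc: str, name: str) -> bool:
    k_anc = key(anc)
    return key(name)[: len(k_anc)] == k_anc


def common_ancestor(a: str, b: str) -> str:
    ka, kb = key(a), key(b)
    n = 0
    while n < min(len(ka), len(kb)) and ka[n] == kb[n]:
        n += 1
    return ".".join(l.decode("latin-1") for l in reversed(ka[:n]))


def wildcard(ce: str) -> str:
    return "*." + ce if ce else "*"


@dataclass(frozen=True)
class NSEC:
    owner: str
    next_name: str
    types: frozenset

    def covers(self, name: str) -> bool:
        """name sorts strictly between owner and next, so it provably does not exist."""
        n, o, x = key(name), key(self.owner), key(self.next_name)
        return o < n < x if o < x else (n > o or n < x)  # last NSEC wraps around to the apex

    def matches(self, name: str) -> bool:
        return key(self.owner) == key(name)


def nsec_chain(zone: dict) -> list:
    """Offline-signing view: one NSEC per existing name, pointing at the next name in canonical order."""
    ordered = sorted(zone, key=key)
    return [NSEC(ordered[i], ordered[(i + 1) % len(ordered)], frozenset(zone[ordered[i]]))
            for i in range(len(ordered))]


def nxdomain_proof(qname: str, zone: dict) -> list:
    """NSEC records a validator needs for NXDOMAIN: cover qname AND cover *.<closest encloser>."""
    chain = nsec_chain(zone)
    ce = max((n for n in zone if is_ancestor(n, qname)), key=lambda n: len(key(n)))
    needed = {r for r in chain if r.covers(qname)} | {r for r in chain if r.covers(wildcard(ce))}
    return sorted(needed, key=lambda r: key(r.owner))  # one record if a single NSEC covers both


def black_lie(qname: str, existing_types=()) -> NSEC:
    """Online-signed NODATA: a single NSEC whose next name is the smallest name after qname."""
    return NSEC(qname, "\x00." + qname, frozenset(existing_types) | {"NSEC", "RRSIG"})


def classify(qname: str, qtype: str, rcode: str, nsecs: list) -> str:
    """Defender's view of a negative response: what the NSEC proof actually establishes."""
    if rcode == "NXDOMAIN":
        cover = next((r for r in nsecs if r.covers(qname)), None)
        if cover is None:
            return "unproven"
        ce = max(common_ancestor(qname, cover.owner), common_ancestor(qname, cover.next_name),
                 key=lambda n: len(key(n)))
        if any(r.covers(wildcard(ce)) for r in nsecs):
            return "NXDOMAIN proven: qname and wildcard both covered"
        return "unproven"
    if rcode == "NOERROR":
        match = next((r for r in nsecs if r.matches(qname)), None)
        if match is None or qtype in match.types or "CNAME" in match.types:
            return "unproven"
        # Heuristic (assumption): next name \000.<qname> plus a bitmap of only NSEC/RRSIG
        # is the black-lie shape; it does not prove the name exists (could be an empty non-terminal).
        if key(match.next_name) == key(qname) + (b"\x00",) and match.types <= {"NSEC", "RRSIG"}:
            return "NODATA black lie: synthesized NSEC, existence of the name not proven"
        return "NODATA proven: name exists, type absent"
    return "not a negative response"


# Constructed toy zone (assumption): apex plus three hosts.
ZONE = {
    "example.com": {"SOA", "NS", "DNSKEY"},
    "www.example.com": {"A", "AAAA"},
    "mail.example.com": {"A"},
    "ftp.example.com": {"A"},
}

if __name__ == "__main__":
    proof = nxdomain_proof("nope.example.com", ZONE)
    print(len(proof), "NSEC record(s) for NXDOMAIN:", [(r.owner, r.next_name) for r in proof])
    print(classify("nope.example.com", "A", "NXDOMAIN", proof))
    print(classify("nope.example.com", "A", "NXDOMAIN", proof[:1]))
    print(classify("nope.example.com", "A", "NOERROR", [black_lie("nope.example.com")]))
    print(classify("www.example.com", "MX", "NOERROR", nsec_chain(ZONE)))
```

Running it shows the two-record NXDOMAIN proof for `nope.example.com` (one NSEC between `mail` and `www`, one between the apex and `ftp` for the wildcard), that the proof collapses to "unproven" when only the first record is sent, and that the same name answered as a black lie is a single NSEC that the classifier flags rather than treating as evidence the name exists.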


_______________________________________________
dns-operations mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-operations